This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS: sudo 1.6.9p10-1ubuntu3.4

Ubuntu 8.10: sudo 1.6.9p17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Harald Koenig discovered that sudo did not correctly handle certain privilege changes when handling groups. If a local attacker belonged to a group included in a "RunAs" list in the /etc/sudoers file, that user could gain root privileges. This was not an issue for the default sudoers file shipped with Ubuntu.
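
To check whether a customised sudoers file has the configuration described above, the following audit sketch (an added example, not part of the advisory or of sudo) lists rules whose RunAs list names a group, either directly or through a Runas_Alias. It assumes a simplified reading of sudoers syntax and does not follow include directives; the sample file, the user and group names, and the function names are constructed for illustration.

```python
import re
# Constructed sample sudoers content (not taken from the advisory).
SAMPLE_SUDOERS = r"""
Runas_Alias  OPS = %operators, backup
root    ALL=(ALL) ALL
alice   ALL=(OPS) /usr/bin/rsync
bob     ALL=(www-data, \
             %deploy) /usr/local/bin/release
%admin  ALL=(ALL) ALL   # group in the user list, not the RunAs list
"""

def logical_lines(text):
    """Join backslash continuations, strip comments, skip blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = re.sub(r"#(?!\d).*", "", line).strip()  # keep "#uid" members
        if line:
            yield line

def runas_aliases(lines):
    """Map each Runas_Alias name to its member list."""
    aliases = {}
    for line in lines:
        if line.startswith("Runas_Alias"):
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = [m.strip().lstrip("!") for m in members.split(",")]
    return aliases

def names_group(member, aliases, seen=()):
    """True if member is a %group or an alias that expands to one."""
    if member.startswith("%"):
        return True
    return member in aliases and member not in seen and any(
        names_group(m, aliases, seen + (member,)) for m in aliases[member])

def audit(text):
    """Return (rule, [group-bearing RunAs members]) for each affected rule."""
    lines = list(logical_lines(text))
    aliases, findings = runas_aliases(lines), []
    # Alias definitions and Defaults lines are not user rules; skip them.
    for line in (l for l in lines if not re.match(r"\w+_Alias\b|Defaults", l)):
        members = [m.strip().lstrip("!") for runas in re.findall(r"\(([^)]*)\)", line)
                   for m in runas.split(",")]
        hits = [m for m in members if names_group(m, aliases)]
        if hits:
            findings.append((line, hits))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SUDOERS), sep="\n")
```

On a real system, pass the contents of /etc/sudoers to `audit()`; rules using only `(ALL)` or user names, as in the default file, produce no findings.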